This topic gives you instructions on how to
set up your z/OS® environment
to run the Security Key Lifecycle Manager for z/OS.
Install the Security Key Lifecycle Manager for z/OS as
instructed in the Program Directory document. See Program Directory
for IBM Security Key Lifecycle Manager for z/OS.
The Security Key Lifecycle Manager for z/OS requires
the IBM® Java Software Developer Kit 5.0 or 6.0. See Hardware and Software Requirements. This topic was explained
briefly in Planning your Security Key Lifecycle Manager for z/OS Environment. There
are many possible ways you can set up your Security Key Lifecycle Manager for z/OS.
This section shows you how to set up keys for the four possible keystore
types:
- JCEKS
- JCECCAKS
- JCERACFKS
- JCECCARACFKS
For JCECCARACFKS and JCERACFKS type keystores, it is strongly recommended
that you do not use alias or label names that differ only by case,
for example, MyKey and mykey. A search mismatch can occur
when storing or retrieving information from a JCECCARACFKS or JCERACFKS
keystore if alias or label names differ only by case.
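One way to check a planned set of labels for the case-only collisions described above, as an added example that is not part of the product or its documentation. The label inventory is constructed sample data, the function names are hypothetical, and comparing with lowercase folding is an assumption about what "differ only by case" means for your labels.

```python
from collections import defaultdict

# Constructed sample inventory: one alias or label per line, as an operator
# might keep it in a planning file. These values are not from the product.
SAMPLE_LABELS = """\
# planned labels for the keystore
MyKey
TapeKey01
mykey
DS8000Cert
tapekey01
TAPEKEY01
BackupKey
"""

def parse_labels(text):
    """Return the non-empty labels in text, skipping '#' comment lines."""
    labels = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            labels.append(line)
    return labels

def case_collisions(labels):
    """Group labels that become identical once case is ignored.

    Exact duplicates are collapsed; only groups holding two or more
    distinct spellings are returned, keyed by the lowercase form.
    """
    groups = defaultdict(list)
    for label in labels:
        spellings = groups[label.lower()]
        if label not in spellings:
            spellings.append(label)
    return {key: found for key, found in groups.items() if len(found) > 1}

def conflicts_with(existing, candidate):
    """Return existing labels that differ from candidate only by case."""
    return [label for label in existing
            if label != candidate and label.lower() == candidate.lower()]

if __name__ == "__main__":
    report = case_collisions(parse_labels(SAMPLE_LABELS))
    for key in sorted(report):
        print("case-only collision:", ", ".join(report[key]))
```

Run case_collisions over the full inventory before creating keys, and conflicts_with before adding any single new label.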
This topic also shows you how to run the Security Key Lifecycle Manager for z/OS in
production mode.
Attention: The Security Key Lifecycle Manager for z/OS performs
the function of requesting the generation of encryption keys. The
product then passes those keys to the TS1120, TS1130, TS1140,
LTO Ultrium 4, or LTO Ultrium 5 tape drives, and DS8000.
The key material, in wrapped (encrypted) form,
resides in system memory during processing by the Security Key Lifecycle Manager for z/OS.
The key material must be transferred without error to the appropriate
tape drive so that data can be recovered (decrypted). If corrupted
key material is used to write data to a cartridge, then the data written
to that cartridge cannot be recovered. There are safeguards to make
sure that such data errors do not occur. If the machine hosting the Security Key Lifecycle Manager for z/OS is
not using Error Correction Code (ECC) memory, the key material can
become corrupted while in system memory. The corruption can then cause
data loss. The chance of this occurrence is small, but as a best practice,
use ECC memory for machines hosting critical applications.